| Summary: | Fishing protection: KMail displays title in link not href |
| Product: | kmail2 |
| Reporter: | Thomas Tanghus <thomas> |
| Component: | UI |
| Assignee: | kdepim bugs <kdepim-bugs> |
| Latest Commit: | http://commits.kde.org/kdepim/d598e27a603cce276068898cf8d244f51b1003ce |
| Version Fixed In: | 4.10.2 |
| Attachments: | Example fishing attempt mail. |
Description Thomas Tanghus 2012-10-04 09:21:51 UTC
Scammers often use the title in links to disguise the href, and KMail doesn't do anything to protect from this. When hovering over a link in an HTML mail the title is shown both in the hover tip and in the status line.

Reproducible: Always

Steps to Reproduce:
1. Open a scam mail such as the attached one.
2. Hover over the links to linkedin.com.
3. Both hover tip and status line show the title, not the link.

Actual Results: As described in the reproduction steps.

Expected Results: The link should be shown both in the hover tip and in the status line.

I'm using KMail from within Kontact but that shouldn't matter. On purpose I haven't filed this as a feature request, because I think it's a basic security precaution that should be fixed.
Comment 1 Thomas Tanghus 2012-10-04 09:22:51 UTC
Created attachment 74328 [details] Example fishing attempt mail.
Comment 2 Laurent Montel 2012-10-04 10:54:39 UTC
And what do you want us to do?
Comment 3 Thomas Tanghus 2012-10-04 11:18:57 UTC
Oh, I'm sorry if I didn't write that: show the actual link from the href on hover instead of the title. Example anchor link (dunno if bugzilla allows markup?):

<a href="http://http://rakibkhan.com/boWzhT98/index.html/" title="http://www.linkedin.com">Adjust your message settings.</a>

On hover, show the possibly malicious link http://http://rakibkhan.com/boWzhT98/index.html instead of http://www.linkedin.com.
Comment 4 Thomas Tanghus 2013-03-19 12:54:09 UTC
I'm sorry to bother again, but I really think this is a grave security issue. MUAs should help protect users against phishing attempts, and currently KMail does the opposite. In Denmark we have a lot of mails spoofing e.g. the tax authorities' addresses, and the general advice is to hover over the links in the mail to see where they point. In KMail this doesn't work, so you have to view the source of the mail.
Comment 5 Laurent Montel 2013-03-19 15:16:53 UTC
Sorry, I didn't have time to do it. Will do it today or tomorrow. Will implement a scam search feature for 4.11. Regards.
Comment 6 Thomas Tanghus 2013-03-19 15:36:49 UTC
Great! I didn't mean to bug you, it just looked like it wasn't a priority.
Comment 7 Laurent Montel 2013-03-19 15:54:35 UTC
Git commit d598e27a603cce276068898cf8d244f51b1003ce by Montel Laurent.
Committed on 19/03/2013 at 16:51.
Pushed by mlaurent into branch 'KDE/4.10'.

Fix Bug 307818 - Fishing protection: KMail displays title in link not href
FIXED-IN: 4.10.2
always shows url and not title

M +0 -4 messageviewer/viewer_p.cpp

http://commits.kde.org/kdepim/d598e27a603cce276068898cf8d244f51b1003ce
Comment 8 Laurent Montel 2013-03-20 07:08:30 UTC
Git commit a40573f3758643708da5051df438daf4704da678 by Montel Laurent.
Committed on 20/03/2013 at 08:07.
Pushed by mlaurent into branch 'master'.

Implement scam detection.
Now we have a warning when we detect that a message can be a scam.
(for the moment we detect if an anchor has a title and it shows an url which is not the url defined in href)
We will improve it.

M +9 -0 messageviewer/mailwebview.h
M +15 -2 messageviewer/mailwebview_webkit.cpp
M +17 -12 messageviewer/scamdetection/scamdetection.cpp
M +3 -5 messageviewer/scamdetection/scamdetection.h
M +5 -0 messageviewer/scamdetection/scamdetectionwarningwidget.cpp
M +3 -0 messageviewer/scamdetection/scamdetectionwarningwidget.h
M +1 -0 messageviewer/viewer_p.cpp
M +4 -1 messageviewer/webkitparthtmlwriter.cpp

http://commits.kde.org/kdepim/a40573f3758643708da5051df438daf4704da678
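The rule the commit above starts with (an anchor whose title shows a URL other than the one in its href, the trick shown in comment 3), as an added stand-alone Python example; this is not KMail's C++ code. It goes one step beyond the page's rule by also comparing the visible link text against the href, since the same disguise works there. The sample mail fragment is constructed from the anchor in comment 3 plus invented hosts (example.org, 198.51.100.7, bank.example.com), and the loose "same site" comparison (one host is a parent of the other) is a simplification chosen here, not KMail's.

```python
"""Flag anchors whose title or link text shows a URL that does not match the href.

Added example reimplementing the idea of KMail's first scam-detection rule with
the Python standard library only; it is not the kdepim code.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the anchor from comment 3, an honest link whose title matches,
# a link whose visible TEXT (not title) shows a different URL, and a mailto: link.
SAMPLE_MAIL_HTML = """
<p>Hi, <a href="http://http://rakibkhan.com/boWzhT98/index.html/"
          title="http://www.linkedin.com">Adjust your message settings.</a></p>
<p>Read <a href="https://www.example.org/news" title="https://www.example.org/news">the news</a></p>
<p>Login at <a href="http://198.51.100.7/login">https://bank.example.com/login</a></p>
<p><a href="mailto:help@example.org" title="Contact us">Contact</a></p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, title, visible text) for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # [href, title, text parts] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = [a.get("href") or "", a.get("title") or "", []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            href, title, parts = self._current
            self.anchors.append((href, title, "".join(parts)))
            self._current = None


def _display_host(text):
    """Host a reader would take from `text` if it looks like a URL, else None."""
    text = text.strip()
    if not text or " " in text:
        return None  # "Contact us", "Adjust your message settings." are not URLs
    parsed = urlparse(text if "://" in text else "http://" + text)
    host = parsed.hostname
    # Require a dot so a bare word such as "Contact" is not treated as a host.
    return host.lower() if host and "." in host else None


def _href_host(href):
    """Host the link really goes to; None for mailto:, relative links, etc."""
    parsed = urlparse(href.strip())
    if parsed.scheme not in ("http", "https", "ftp"):
        return None
    # For the malformed double-scheme href in the sample, urlparse reads the
    # host as "http"; that still differs from www.linkedin.com, so it is caught.
    return (parsed.hostname or "").lower() or None


def _same_site(a, b):
    """Simplified match: equal hosts, or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_scam_links(html):
    """Return one finding per anchor whose title or text shows a URL off the href's site."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, title, text in parser.anchors:
        real = _href_host(href)
        if real is None:
            continue  # nothing to compare against
        for where, shown in (("title", title), ("link text", text)):
            shown_host = _display_host(shown)
            if shown_host is not None and not _same_site(shown_host, real):
                findings.append({"href": href, "shown": shown.strip(), "where": where})
    return findings


if __name__ == "__main__":
    for f in find_scam_links(SAMPLE_MAIL_HTML):
        print(f"warning: {f['where']} shows {f['shown']!r} but href goes to {f['href']!r}")
```

Run as a script it prints two warnings for the constructed sample: the comment 3 anchor (title) and the IP-literal link whose text claims bank.example.com. The honest example.org link and the mailto: link produce nothing, which is the behaviour a viewer-side warning widget needs to avoid crying wolf on every mail.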
Comment 9 Laurent Montel 2013-03-20 07:09:23 UTC
Thomas, in 4.11 I created a scam detector. It's the beginning but I will add more checks. Regards
Comment 10 Thomas Tanghus 2013-03-20 09:53:49 UTC
(In reply to comment #9)
> Thomas in 4.11 I created a scam detector.
> It's the beginning but I will add more check.

This is awesome. More than I had asked for :)
Comment 11 Laurent Montel 2013-03-20 10:52:47 UTC
Now we have a widget to inform that the message is perhaps a scam message. I will investigate more rules to check them. Regards